GDPR Policy

Policy - Document Ref: QX2-GDPR04

Scope

Technical Innovation Servis (T.I.S.) collects and processes certain personal data related to individuals, including customers, suppliers, business contacts, employees, training candidates, and others with whom the organization has or may have a relationship.

This policy outlines how personal data must be collected, handled, and stored to ensure compliance with the company's data protection standards and to meet legal requirements. The goal is to protect the privacy and security of personal data while adhering to applicable data protection laws.

Normative references

  • General Data Protection Regulation (GDPR) 2018 – Legislation governing the processing of personal data within the European Union.
  • QX3-CP-Confidentiality Policy – Internal company policy outlining the confidentiality practices and obligations regarding personal data.

Definitions

Data – Refers to personal information about an individual or organization, such as names, emails, dates of birth, addresses, and other identifying details. This can also include sensitive data, such as health information, financial details, or other data protected by privacy laws.

Objectives

This data protection policy aims to ensure that Technical Innovation Servis:

  • Complies with data protection laws and adheres to best practices.
  • Protects the rights of staff, customers, and partners.
  • Is transparent about how it stores and processes individuals' data.
  • Minimizes the risk of a data breach and takes steps to protect itself from potential threats.

The General Data Protection Regulation (GDPR), which came into effect on 25th May 2018, represents the most significant overhaul of data protection law in two decades. The GDPR adopts a privacy-by-design approach and emphasizes risk-based strategies, ensuring that data protection measures are robust and meet the challenges of the digital age.

Procedures

The purpose of these procedures is to ensure that all personal and sensitive data is securely stored and protected from unauthorized access, theft, or loss, in compliance with data protection regulations.

Paper-Based Data Storage

  • Secure Location: Personal data on paper should be stored in a locked drawer or filing cabinet, inaccessible to unauthorized individuals.
  • Confidentiality: Printed documents should never be left unattended in open areas (e.g., printers or desks).
  • Shredding: Once no longer needed, paper records must be shredded or securely destroyed.

Electronic Data Storage

  • Password Protection: Data must be protected by strong, regularly updated passwords. Sharing passwords is prohibited.
  • Removable Media: Store USB drives and similar devices in a secure location when not in use.
  • Designated Storage: Use approved drives, servers, or cloud services for storing data, ensuring compliance with security standards.
  • Secure Servers: Servers containing personal data should be kept in secure, restricted areas.
  • Data Backup: Ensure regular data backups and periodic testing for reliability.
  • No Local Storage on Devices: Personal data should not be stored on laptops or mobile devices unless encrypted and secured.
  • Security Software: All systems storing data must be protected by approved security software and firewalls.

Data Handling and Security

  • Locked Screens: Computers should be locked when left unattended.
  • No Informal Sharing: Do not share personal data informally (e.g., via email) unless it is password protected.
  • Encryption: Sensitive data transferred electronically must be encrypted.
  • No Transfers Outside EEA: Personal data should not be transferred outside the EEA unless legal safeguards are in place.
  • Centralized Data: Only store data in centralized, secure systems, and avoid saving personal data to personal devices.

Data Accuracy

  • Minimize Data Locations: Store personal data in as few places as necessary to reduce discrepancies.
  • Regular Updates: Update data regularly, confirming details with data subjects when possible.
  • Easy Data Updates: Provide accessible ways for individuals to update their data.
  • Correcting Inaccuracies: Immediately update any inaccurate or outdated data.
  • Right to Know: Individuals can request details of their personal data and its use.
  • Right to Access: Individuals can request access to their personal data.
  • Right to Update: Individuals can request updates to inaccurate data.
  • Right to Transparency: Individuals can inquire about how their data protection rights are being fulfilled.

Information Security Measures

  • Access Controls: Restrict data access to authorized personnel only.
  • Password Protection: Enforce strong password policies.
  • Authentication: Use multi-factor authentication and other security protocols.
  • Restricted Access: Limit access to personal data based on job role and necessity.

Responsibilities

The importance of personal data accuracy directly influences the level of effort TIS must dedicate to maintaining it. All employees who handle data are responsible for taking reasonable steps to ensure its accuracy and currency.